Consultation paper: National Health (Privacy Rules 2018 review

Publication date: 4 June 2021

Download the print version

Download the Word version

About this review

The Office of the Australian Information Commissioner (OAIC) is reviewing the National Health Privacy Rules 2018 (Rules) to decide whether and how they need to be updated. This Consultation Paper is aimed at eliciting feedback on the Rules to find out what is working well and what can be improved.

The Rules are a legislative instrument issued by the Information Commissioner under section 135AA of the National Health Act 1953. They apply to Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Schedule (PBS) claims information. People make claims under the MBS and PBS for health services in Australia. To enable this, Services Australia and the Department of Health process and store information about MBS and PBS claims.

The Rules apply to Australian Government agencies that handle MBS and PBS information with particular focus on Services Australia and the Department of Health. In brief, the Rules:

• Require that information obtained from the MBS and PBS not be stored in the same database
• Specify when claims information from the two programs may be linked
• Prohibit claims information over five years old (i.e., old information) from including information that could identify an individual, and
• Specify the circumstances in which old information may be re-linked with identifiers.

Why have a review?

The Rules are due to sunset on 1 April 2022. The OAIC is therefore consulting stakeholders on the Rules to enable revision and remaking of the Rules before that date. Other factors that indicate that a review is timely include:

• Developments in information technology since 2008, which is when the contents of the Rules were last examined in depth
• The introduction of the Australian Privacy Principles (APPs) which may have changed baseline regulatory protections otherwise afforded to claims information
• The regularity and increased scale of use of information technology in the planning and provision of health services
• Public policy approaches favouring data use and re-use in research, evidence-based decision-making and the provision of government services generally
• Community attitudes and expectations regarding the handling of their personal information; in particular, certain health information.

Submissions to the review will help the Commissioner to assess the need for revisions or amendments to the Rules.

Scope of the review

The review is a general review of all the provisions of the Rules. As with previous reviews, the Commissioner’s purpose is to ensure that the Rules, in their current form, achieve the intent of section 135AA of the National Health Act and are easy to read, understand and apply in practice.

This Paper sets out information about the review process, including:

• How to provide comments
• Information about the Rules and relevant recent developments
• General questions and issues for consideration
• Specific questions about each of the main provisions contained in the Rules.

The OAIC invites comment from interested individuals, agencies and organisations on all elements and aspects of the Rules, including but not limited to their effect on individuals, the operation of MBS and PBS processes, public sector operations and policy development, open data and associated research initiatives.

Questions have been included in the Consultation Paper to help guide your feedback. It is not necessary to respond to every topic or question raised in the Paper. Nor should you feel restricted to the topics or questions we have raised. When commenting, we encourage you to provide evidence to support your feedback, including examples, case studies, statistics or other information.

While submissions may include perspectives and commentary on the Rules, the Commissioner will not consider comments on unrelated areas of the Privacy Act 1988 or other legislation. It is also relevant to note that this is a review of the Rules and not of section 135AA of the National Health Act. It is not within the scope of this review or the Commissioner’s functions to canvas amendments to the National Health Act. Any such review would occur as a separate process led by the Department of Health.

How to provide comments

Submissions can be made by:

The closing date for comments is 5pm Friday 4 June 2021.

We intend to make all submissions publicly available. Please indicate when making your submission if it contains confidential information you don’t want made public and why it should not be published. Requests for access to confidential comments will be determined in accordance with the FOI Act.

Although you may lodge submissions by email or post, email is preferred. To help us meet our accessibility obligations, we would appreciate you providing your submission in a web accessible format or, alternatively, in a format that will allow us to easily convert it to HTML code — for example Rich Text Format (.rtf) or Microsoft Word (.doc or .docx) format.

Privacy collection statement

The OAIC will only use the personal information it collects during this consultation for the purpose of considering the issues raised in the discussion paper. This will include sharing submissions with Information Integrity Solutions – a privacy consultancy that is assisting OAIC with this review.

About the Rules

In this section you can find:

• Explanatory information about the Rules
  Including their purpose, the activities they cover and their main provisions.
• Contextual information
  Including other relevant reviews, government policies and legislative reform.

The National Health (Privacy) Rules

The Rules are a legislative instrument issued by the Australian Information Commissioner. They are binding which means the public sector agencies covered by the Rules must follow them.

The Commissioner issues the Rules under section 135AA of the National Health Act. Section 135AA says that the Commissioner must issue privacy rules about how public sector agencies handle MBS and PBS claims information. Section 135AA also lists matters that the rules must cover. When revising the Rules, the Commissioner can change requirements in the Rules but cannot change the matters that section 135AA says the rules must cover.

Section 135AA was added to the National Health Act in 1991 in recognition of the special sensitivity of MBS and PBS claims information. Over the years, the Rules have been revised a number of times. The last time was in 2018.

MBS and PBS claims information

The Rules set out requirements for how public sector agencies handle MBS and PBS claims information. MBS means Medicare Benefits Schedule and PBS means Pharmaceutical Benefits Schedule. This is information that government agencies collect and use to enable payment of benefits for medical care and medicines. It is sensitive because it reveals health information about individuals and covers most of the Australian population.

The main provisions in the Rules

The Rules explain how agencies may use, store, disclose and link MBS and PBS claims information. Although some provisions in the Rules apply to all agencies, most of the Rules just apply to Services Australia and the Department of Health as they are the two main agencies that handle MBS and PBS claims information.

Key provisions in the Rules include:

• Separate storage – MBS and PBS claims information must be stored in separate databases.
• Storage without identifiers – MBS and PBS claims information must be stored without personal identification components [1] and must be stored separately from enrolment and entitlements information.
• Disclosure to the Department of Health – Services Australia may disclose claims information to the Department of Health to enable Medicare to perform ‘health provider compliance functions’. Services Australia may disclose claims information to the Department of Health in other circumstances but generally such information must not include ‘personal identification components’.
• Linkage of claims information – Services Australia and the Department of Health may link claims information held in the MBS and PBS databases but only in limited circumstances.
• Retention of linked claims information – Services Australia and the Department of Health must destroy linked claims information as soon as practicable after meeting the purpose for which it was linked.
• Old information – Claims information that is five or more years old must be stored separately from other claims information and with personal identification components removed. Old information may only be re-linked with personal identification components in certain circumstances.
• Disclosure of claims information for medical research – Services Australia may disclose identifiable claims information to researchers for the purpose of medical research if the subjects of the information consent or the research follows the NHMRC guidelines.
• Use of claims information by the Department of Health – The Department may store claims information indefinitely as long as personal identification components are removed. The Secretary of the Department may authorise other uses of MBS and PBS information but a use involving linkage is subject to certain conditions.
• Name linkage – The Department of Health may obtain the personal identification components that belong to a particular Medicare PIN from Services Australia in certain limited circumstances specified in the Rules.

Key agencies regulated by the Rules

The Rules address, in the main, Services Australia and the Department of Health. However, other government agencies are also captured in the context of holding MBS and PBS information.

Services Australia

In 2019, a machinery of government change saw the creation of Services Australia (formerly, the Department of Human Services under the Rules). Services Australia is responsible for the delivery of advice and a range of health, social and welfare payments and services. Services Australia delivers Medicare and related programs on behalf of the Department of Health, including the PBS, Australian Immunisation Register and Australian Organ Donor Register.

Services Australia uses MBS and PBS claims information to administer the respective programs (such as paying benefits), as well as for internal operational and reporting purposes.

Department of Health

The functions of the Department of Health include providing health services and, following machinery of government changes in 2015, undertaking compliance functions in accordance with various portfolio legislation. Officers of the Department are, for example, responsible for compliance functions in accordance with the Human Services (Medicare) Act 1973. Administratively, a practical arrangement exists whereby officers employed by the Department perform health provider compliance functions under delegated powers of the Chief Executive of Medicare (Services Australia).

The Department of Health uses MBS and PBS claims information for a wide range of purposes including program administration, compliance and audit, policy development and review, statistical analysis, and reporting.

Australian government agencies

In addition to specifying Services Australia and the Department of Health, the Rules pertain to any Australian government agency covered by the Privacy Act holding information that was obtained in connection with a claim for payment or benefit under the MBS or PBS.

Recent developments

A number of developments provide relevant background context to this review, such as significant changes to public policy in relation to data sharing for public purposes, changes to privacy regulation and, significantly, the burgeoning digital and data economies.

Recent amendments to the National Health Act

In 2019, the National Health Act was amended by the Health Legislation Amendment (Data‑matching and Other Matters) Act 2019. The primary intention was to enable the Chief Executive Medicare to conduct data matching of listed kinds of information – including MBS and PBS claims information – for compliance-related permitted purposes (i.e., to prevent, identify and take action against fraud and other inappropriate practice by health providers).

The amendment specifically introduced new provisions to the National Health Act that would enable data matching, notwithstanding restrictions to disclosure, matching or storage of information prescribed in the Rules issued under s 135AA.

Review of the Privacy Act

The Attorney-General’s Department is currently conducting a review of the federal Privacy Act, to ensure that ‘privacy settings empower consumers, protect their data and best serve the Australian economy.’[2] The review will examine, among other things, the scope and application of the Privacy Act as well as its interaction with other Commonwealth regulatory frameworks.

The Issues Paper highlighted the digital economy, the ability to communicate and transact with individuals online, and new and emerging technologies as developments that should be kept in mind when determining whether the Privacy Act is fit for purpose.

Data Availability and Transparency Bill

The Data Availability and Transparency Bill 2020 (the Bill) was introduced to the Australian Parliament on 9 December 2020. If enacted, the Bill would create a national scheme for organisations to request access to Australian Government data in a controlled manner for prescribed purposes, namely: (i) improving government service delivery, (ii) informing government policy and programs, and (iii) research and development.

The Bill represents the most significant step taken by the Australian Government to reform the way public sector data is accessed and used. It comes in response to the Productivity Commission’s Data Availability and Use inquiry, which identified the benefits of data in improving efficiency and productivity, as well as allowing governments and businesses to offer new kinds of products and services. The Bill is relevant to the Rules because, if enacted into law, it may enable sharing and use of MBS and PBS claims information in prescribed circumstances.

Royal Commission into Aged Care Quality and Safety

The Royal Commission into Aged Care Quality and Safety was established on 8 October 2018. One of its findings was that there is inadequate sharing of health information about older people as they move between the health and aged care systems.

Recommendation 67 of the final report specifically addresses improving data on the interaction between the health and aged care systems. This includes:

• The Australian Government should implement an aged care identifier by no later than 1 July 2022 in the MBS and PBS datasets for regular public reporting purposes
• All governments should implement a legislative framework by no later than 1 July 2023 for health and aged care data to be directly linked, shared and analysed to understand the burden of disease of current and prospective people receiving aged care and their current and future health needs.

Senate Select Committee report

The Senate Select Committee on Health (SSC on Health) was established to inquire into and report on health policy, administration and expenditure. In compiling its 2016 Sixth Interim Report, ‘Big health data: Australia’s big potential’, the SSC on Health received a significant number of stakeholder submissions in relation to improving access to and linkage between health data sets. The 2016 Report itself dedicated chapter four to the issue of MBS and PBS data linkage, and said at Recommendation 4:

“The committee recommends that given the changes in technology, and mindful of the capacity and moral obligation for governments to hold and strongly secure personal data and privacy, the government review the operation of section 135AA of the National Health Act 1953, with the aim of improving access to de‑identified MBS and PBS data for the purpose of health policy evaluation and development as well as research undertaken in the public interest.”

While this review does not canvas the appropriateness of section 135AA of the National Health Act, the recommendation highlights the tension associated with operation of the Rules in a climate where insights derived from MBS and PBS data are highly desirable.

Changes in technology

The movement of the Australian government to an e-gov model, such as the co-located services accessible via a MyGov account, reflects the government’s continued progress in the realms of digitally enabled services and technology uptake. The government has focused on making interactions between the community and agencies more seamless, as well as leveraging data from those interactions to deliver better, faster, more equitable and more intuitive services in the future.

The technologies supporting government service are also advancing, with data storage modalities no longer taking the form of a physical location (or ‘database’) on a computer within an office or building; rather, agencies are increasingly exploring the use of virtual locations, where information is stored in off-site data centres, transmitted via the internet (‘the cloud’), with access managed locally through various administrative and technical controls. The government’s Secure Cloud Strategy, which replaces the Australian Government Cloud Computing Policy of 2014, considers that ‘common shared platforms’ will continue to be explored by government through the auspices of the Digital Transformation Agency, to:

• Reduce information enclaves in agencies by providing an ability to efficiently manage information across agencies and classifications (e.g., protected, unclassified, etc), and
• Enable agencies to manage multi-provider services.

From a health sector research perspective, data linkage and privacy enhancing technologies have seen significant advancement in the years the Rules (and the preceding guidelines) have been in operation. It is now possible for very large human service datasets from multiple different sources to be linked together to produce insights while preserving the privacy of individual subjects.

This enabling technology has been matched by a growing appetite from researchers and policymakers for data linkage projects. For example, the Australian Institute of Health and Welfare (AIHW) and the Australian Bureau of Statistics (ABS) – two of the foremost accredited integrating authorities in Australia – have been increasingly involved in data linkage for policy analysis, research and statistical purposes, often involving MBS and PBS claims information.

Key issues and general questions

In this section you can find:

• Key questions for this reviewTo enable us to gauge how the Rules are operating and areas for improvement.
• Other general questions and issuesIncluding in relation to the form and function of the Rules and how they operate in practice.

Key questions for this review

This review is aimed at understanding how the Rules are currently operating, whether their provisions remain fit-for-purpose and what revision or updates may be needed.

Form and function of the Rules

Prescriptive versus principles-based

The Rules are relatively prescriptive in form. They give specific instructions on how specific agencies must store and handle claims information and the limited circumstances in which claims information may be linked, retained or rendered identifiable. This contrasts with the APPs, for example, which take a principles-based approach to regulating personal information, allowing entities greater discretion in interpreting the application of the legislation to their own circumstances.

Generally, subordinate legislation – like the Rules – would be expected to be more prescriptive than primary legislation. It adds detail and specificity to the framework established by legislation. Specificity is encouraged because subordinate legislation can be revised and updated more easily than primary legislation – it does not have to be passed by parliament. A prescriptive approach can have the positive effect of eliminating known privacy risks that would otherwise confront an officer when, for example, making decisions about claims data linkage. On the other hand, an overly prescriptive approach can inadvertently block reasonable activities or be complex to apply in practice.

Technological specificity versus technological neutrality

A side-effect of more prescriptive regulations is that they may struggle to accommodate rapidly changing information technology. In the context of these Rules, this can have two effects:

• The Rules contain requirements that have been overtaken by changes to technology and are therefore difficult to apply in practice or require inefficient workarounds to enable compliance.
• The Rules obstruct or limit reasonable use cases for claims information that have been enabled by changes to technology and digitisation of government operations.

While the Rules minimise the use of technologically specific language, there are some provisions where this is unavoidable. For example, the National Health Act says that the Rules must prohibit the storage of MBS and PBS information in the same ‘database.’ Therefore, the Rules refer to separation of ‘databases’. Other provisions, while not necessarily being technologically specific, impose requirements that may operate counter to modern data practices. For example, very short retention times for linked claims information may make use of the information difficult or discourage legitimate linkage activities.

Interaction with the APPs

In 2012 the Privacy Act 1988 was significantly amended with the introduction of the Australian Privacy Principles (APPs). The APPs regulate the handling of personal information, including health information, and establish requirements for each stage of the information lifecycle from collection of personal information through to use, storage, disclosure and disposal. The APPs replaced the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs), which applied to Australian government agencies and the private sector respectively.

To the extent that the Rules impose more specific obligations than the APPs, the Rules prevail.[3] In all other cases, the APPs apply as normal to personal information handling.

The Rules have not been significantly revised or updated since the introduction of the APPs. In practice, this means that the way the Rules interact with the APPs – and any gaps or overlap in this regard – has not yet been formally canvassed. For example, the Rules contain strict disposal provisions for claims information (particularly linked claims information). This made sense prior to the introduction of the APPs because the earlier IPPs did not contain any information disposal requirements so the Rules filled a gap. However, that changed with the APPs which now impose data disposal requirements. Therefore, a question arises as to whether certain APPs should ‘cover the field’ for health information (including MBS and PBS information) or whether the nature of MBS and PBS information demands additional controls set down in the Rules.

The Rules in practice

Modernisation and trends in government information policy

The Commissioner cannot create rules that ignore or weaken the application of section 135AA of the National Health Act. Section 135AA prescribes certain matters that must be contained in the Rules. However, there may be opportunities within the Rules and the parameters of section 135AA to retain privacy safeguards while acknowledging Australia’s maturing approach to data use and the government’s ongoing digital transformation. For example, some now believe that the Rules get the balance wrong between privacy and data use. A chief criticism of the Rules in a recent Senate Committee report was that the heavy weighting of information privacy considerations denied legitimate opportunities to access MBS and PBS datasets for research in the public interest. The Rules were characterised in some submissions to the Senate Committee as over-cautious, cumbersome and, according to the Productivity Commission, ‘complex with the restrictions creating unnecessary downsides and delays for evidence-based policy formulation’.[4]

Recent developments outlined above illustrate opportunities for alignment of the Rules with new currents in government information policy.

Specific questions about the Rules

In this section you can find:

• More detailed information about what the Rules say
• Specific questions
  About each of the main provisions contained in the Rules.

The Rules apply to Australian government agencies covered by the Privacy Act, though most provisions apply specifically to Services Australia and the Department of Health. The Rules refer to the ‘Department of Human Services’ – in this paper, we refer to that department by its current name – ‘Services Australia.’

Storing claims information in separate databases

The requirement to store data in ‘separate databases’ may no longer be meaningful in the current digital environment. However, until the National Health Act is changed, this requirement will have to remain a feature of the Rules.

Management of claims information by Services Australia

The Rules ensure that claims information in the MBS and PBS databases is stripped of personal identification components, such as name and address information, apart from a Medicare card number, or a pharmaceutical entitlements number.

These requirements apply to claims information that is not ‘old information’. Information that is more than five years old is considered ‘old information’, and this information must not be stored with any personal identification components at all, including the Medicare card number or the Pharmaceutical entitlements number.

The effect of these requirements is to lessen the privacy impact of these databases and reduce privacy risks. This could include risks that the claims information is inappropriately accessed or disclosed, or risks of function creep such as where claims information is used for unintended or unauthorised secondary uses.

Requirement for Services Australia to maintain technical standards

The Rules require Services Australia to establish standards to ensure a range of technical matters are adequately dealt with in designing a computer system to store claims information.[8] If Services Australia changes the standards, it must inform the OAIC.[9]

Services Australia is subject to other security obligations in relation to MBS and PBS claims information. These include information security requirements under APP 11 in the Privacy Act, the Australian Government’s Protective Security Policy Framework, and the Information Security Manual. This could raise a question as to whether dedicated technical standards for MBS and PBS information is necessary in view of those other security obligations. On the other hand, dedicated technical standards enable more specific requirements particularly in managing data linkage and safeguarding the data from unauthorised linking.

Medicare PINs

The Rules contain provisions on the creation of a Medicare PIN that is unique for each individual, and the purposes for which a Medicare PIN may be used or disclosed. According to the Explanatory Statement, it is intended that any such unique number be kept, as far as possible, within Services Australia and not used as an identifier for other purposes.[10] That said, Services Australia may disclose Medicare PINs in some circumstances, though usually not with the individual’s name.

Disclosure to the Department of Health

The disclosure provisions in the Rules mostly relate to how Services Australia and the Department of Health interact to enable the Department of Health to carry out delegated Medicare functions and activities. For example, the Department of Health monitors health providers and makes sure they are doing the right thing when they claim MBS and PBS benefits on behalf of their patients or customers. To carry out this function and take enforcement action, the Department of Health needs to collect and use claims information.

Disclosure of claims information to other entities other than the Department of Health must be ‘lawful’. This means that it must not be prohibited by another law and, if the information includes personal information, would need to comply with APP 6.

A later section of the Rules enables disclosure of claims information for medical research.

Linkage of claims information

The Rules state that linked claims information must not include the Medicare PIN (unless this is required by law). Historically, the Rules have stopped Services Australia or the Department of Health from establishing a data-matching program between MBS and PBS data. However, this provision has been affected by recent amendments to the National Health Act which allow data-matching involving certain information that is held or has been obtained by the Chief Executive Medicare for compliance-related permitted purposes.

Retention and reporting of linked claims information

The destruction requirements in the Rules act as a form of protection against function creep and unauthorised secondary use or disclosure of linked claims information. However, the strictness of the destruction requirements may reduce the utility of data linkage and curtail use of the linked information for reasonable and lawful purposes. Data linkage conducted in conjunction with other programs – for example, by the ABS for the Multi-Agency Data Integration Project (MADIP) – is not subject to the same strict destruction requirements.

Old information

The National Health Act states that the Rules must regulate the handling of ‘old information’. In particular, they must require old information to be stored without personal identification components and specify the circumstances in which old information may be re-linked with those components. Therefore, the OAIC cannot revise the Rules to change this storage requirement for old information. However, the OAIC can vary the circumstances in which old information may be re-linked.

Disclosure of claims information for medical research

These arrangements reflect obligations that would apply under the Privacy Act and related laws regardless. However, the inclusion of this provision relating to medical research is to clarify and provide certainty regarding how claims information may be used for medical research purposes.[12]

Use of claims information

The Rules enable linkage by the Department of Health but only in a temporary manner with a short retention period. Moreover, MBS and PBS claims information may only be linked in this temporary manner in conjunction with the Medicare PIN where there is no practical alternative.

Name linkage

There are circumstances in which it may be necessary for the Department of Health to have access to identified claims information. The Rules enable this and set restrictions on how this may occur.

Other matters including management of paper copies